Security
We treat security as a first-class feature of the gateway, not something we’ll get to later. Here’s what we do — and how to tell us when we get it wrong.
Responsible disclosure
Found a vulnerability? Email [email protected] with details and, where possible, a reproduction. We will:
- Acknowledge your report within one business day.
- Provide a triage decision (severity, expected fix window) within five business days.
- Credit you in our changelog when the fix ships — unless you ask us not to.
- Not pursue legal action against good-faith research that avoids data destruction, service disruption, or accessing data that isn’t yours.
Please give us a reasonable window to fix the issue before publishing — typically 90 days, sooner for low-impact issues.
What we do, in plain terms
- Encryption at rest: all sensitive credentials (BYOK provider keys, OAuth tokens, webhook secrets) are encrypted with AES-256-GCM using a key held in the host environment, never in the database.
- Encryption in transit: all public endpoints terminate TLS 1.2 or higher; the gateway itself rejects anything below 1.2.
- Password hashing: bcrypt with cost factor 12. We do not store plaintext passwords, nor do we ever email them.
- API key + token hashing: raw tokens are shown once at creation and never again; the database only ever holds a SHA-256 hash, so a database leak cannot replay your keys.
- Webhook signatures: outbound webhooks carry an HMAC-SHA256 signature; verification on receipt is constant-time.
- SSRF guard on BYOK: bring-your-own-key endpoints are validated against a private-network blocklist (RFC 1918, loopback, link-local, AWS / GCP / Azure metadata IPs) before any outbound request fires.
- Rate limits: unauthenticated POST routes (login, register, password reset, waitlist) are rate-limited per IP to blunt credential-stuffing and enumeration.
- Zero data retention (ZDR): Team tier and above can opt into ZDR mode, which disables prompt/response metadata logging end-to-end.
- CSP + frame-ancestors: the dashboard ships a strict Content Security Policy and refuses to be framed, blocking common clickjacking vectors.
More detail
For how we collect and retain data, see the Privacy Policy. Enterprise buyers can request a security questionnaire, our DPA, and a sub-processor list from [email protected].